Compliance Blog

Apr 13, 2022

NCUA Issues Cybersecurity Alert on Increased Likelihood of Cyberattacks on Financial Institutions

In compliance, you have to know a little bit about a lot, and be willing to work closely with other teams so that everything works together to keep the organization compliant.  That happens to include having some IT-related knowledge, especially in the realm of information and cyber security.  That’s what this post will cover; feel free to chat with your leaders and IT teams (after reading this, of course) to confirm that your credit union is up to snuff when it comes to detecting and stopping potential cyberattacks.

In February, NCUA issued a cybersecurity alert, citing two recent alerts from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) related to current geopolitical events, especially those stemming from “Russian state-sponsored cyber threats.”  In NCUA’s alert, it encourages credit unions of all sizes to “adopt a heightened state of awareness and to conduct proactive threat hunting,” and to review the two CISA alerts and take action to implement any applicable recommendations.

The first CISA alert is a joint Cybersecurity Advisory, with the FBI and NSA as co-authors.  The advisory outlines Russian state-sponsored cyber operations, commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations, and is aimed at helping “the cybersecurity community reduce the risk presented by these threats.”  The advisory warns that Russian state-sponsored actors have shown advanced capabilities and a proficiency in maintaining long-term undetected access to compromised environments by using legitimate credentials.

The advisory suggests implementing detection protocols, such as robust log collection and retention, looking for behavioral evidence or network and host-based artifacts from known Russian state-sponsored TTPs (a helpful chart is included with commonly observed TTPs), and taking note of unexpected equipment behavior, such as unexpected reboots or log-ins.

If potential activity is detected, the advisory recommends organizations utilize the following incident response steps:

  1. “Immediately isolate affected systems.
  2. Secure backups.  Ensure your backup data is offline and secure.  If possible, scan your backup data with an antivirus program to ensure it is free of malware.
  3. Collect and review relevant logs, data, and artifacts.
  4. Consider soliciting support from third-party IT organizations to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
  5. Report incidents to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.”

The advisory also discusses mitigation tactics that credit unions can consider implementing to increase their cyber resilience against the threat.  First is to be prepared: confirm reporting processes and minimize coverage gaps, as “malicious cyber actors are known to target organizations on weekends and holidays when there are gaps in organizational cybersecurity.”  Next is to create, maintain, and exercise a cyber incident response plan, a resilience plan, and a continuity of operations plan (business continuity plan/BCP).  Ensure that all personnel know which steps to take in the event of an incident, so they can stay calm and work together.  Another step is to enhance the credit union’s cyber posture and follow the advisory’s best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.

The second CISA alert referenced in NCUA’s release is a CISA Insights alert on implementing cybersecurity measures now to protect against potential critical threats.  This alert reminds all organizations that they are all “at risk of cyber threats that can disrupt essential services and potentially result in impacts to public safety.”  The alert provides a helpful checklist of steps that credit unions can take to reduce the likelihood and impact of a potential cyberattack. 

Some steps to consider (among others) include:

  • Reduce the likelihood of a damaging cyber intrusion
    • Validate that all remote access to the credit union’s network and privileged or administrative access requires multi-factor authentication.
    • Ensure that all software is up to date, and prioritize updates that address known exploited vulnerabilities identified by CISA.
  • Take steps to quickly detect a potential intrusion
    • Ensure that personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior.
    • Confirm that the credit union’s entire network is protected by antivirus/antimalware software and that signatures in those tools are updated.
  • Ensure that the credit union is prepared to respond if an intrusion occurs
    • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal, and business continuity.
    • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Check out NCUA’s Cybersecurity Resources page and CISA’s website for more information on preparing for and mitigating potential cyberattacks.